Mini Shai-Hulud returns, compromising hundreds of npm packages
https://cyberscoop.com/mini-shai-hulud-malware-npm-packages-compromised-again/
Publish Date: 2026-05-19 11:28:44
Source Domain: cyberscoop.com
Mini Shai-Hulud, a self-replicating malware campaign attributed to TeamPCP, has resurfaced, infiltrating hundreds of npm packages. This latest variant is more advanced than previous waves, spreading autonomously and installing persistent backdoors at the operating system level. Unlike past versions, the malware keeps running even after the infected package is removed from the environment, because it hides copies of itself in developer-tool configuration files and OS-level background services. The malware first installs itself when an infected package is installed, then harvests tokens, SSH keys, and credentials from development environments. With stolen credentials in hand, it can publish malicious package versions to the npm registry under legitimate maintainer accounts, widening its reach. Organizations are advised to treat any infected machine or continuous integration runner as fully compromised until every form of persistence has been removed and recent activity has been reviewed. Popular data visualization software, such as Alibaba’s AntV, and utility libraries like echarts-for-react have been among its targets.
Key Points:
– Mini Shai-Hulud is a self-replicating malware embedded in npm packages, capable of autonomous propagation.
– The campaign deploys persistent backdoors that remain even after affected packages are removed.
– The malware actively harvests credentials and software tokens, and uses infected CI/CD pipelines to spread further.
– Targeted packages include popular tools like AntV, echarts-for-react, and timeago.js.
– Infected systems should be deemed compromised until all malware persistence is eradicated and recent activity has been reviewed.
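The article describes the malware publishing new versions under hijacked maintainer accounts, so one defensive control is a release-age gate: refuse to install a locked version that was published only hours or days ago. The script below is an added example, not code from the article or from any affected project; the package-lock.json fragment, package names, versions and publish timestamps are all constructed, and the `time` map mirrors the shape of the npm registry's package metadata without being fetched from it.

```python
import json
from datetime import datetime, timedelta

# Constructed package-lock.json (lockfileVersion 3) fragment; not real data.
LOCKFILE = json.loads("""
{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app"},
    "node_modules/example-chart-lib": {"version": "3.4.0"},
    "node_modules/example-date-util": {"version": "1.2.1"},
    "node_modules/example-chart-lib/node_modules/example-leftpad": {"version": "0.9.0"}
  }
}
""")

# Constructed publish timestamps keyed like the registry's "time" object.
REGISTRY_TIMES = {
    "example-chart-lib": {"3.4.0": "2026-05-18T09:00:00.000Z"},  # published yesterday
    "example-date-util": {"1.2.1": "2020-01-15T12:00:00.000Z"},  # years old
    # example-leftpad deliberately has no entry: unknown publish time.
}

def _parse_iso(stamp):
    # npm emits trailing "Z"; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def flag_recent_releases(lock, registry_times, as_of, min_age_days=7):
    """Return {name: version} for locked dependencies whose version was
    published less than min_age_days before `as_of` (ISO 8601), or whose
    publish time is unknown. Unknown is treated as suspect, not as safe."""
    cutoff = _parse_iso(as_of) - timedelta(days=min_age_days)
    flagged = {}
    for path, entry in lock["packages"].items():
        if not path.startswith("node_modules/"):
            continue  # root project entry, not a dependency
        # Nested installs look like node_modules/a/node_modules/b -> "b".
        name = path.rsplit("node_modules/", 1)[1]
        version = entry.get("version")
        published = registry_times.get(name, {}).get(version)
        if published is None or _parse_iso(published) > cutoff:
            flagged[name] = version
    return flagged

if __name__ == "__main__":
    print(flag_recent_releases(LOCKFILE, REGISTRY_TIMES, "2026-05-19T00:00:00Z"))
```

Flagged entries are candidates for a hold and manual review before installation, not a verdict of compromise.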